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(54) SYSTEM AND METHOD FOR CONVERTING KEY 

(57)Abstract: 

PROBLEM TO BE SOLVED: To provide a key conversion system 
for deterministically and reversibly converting the first key value of a 
first communication system into the second key value of a second 
communication system 

SOLUTION: The key conversion system generates a first 
intermediate value from at least a portion of the first key value by 
using a first random lunction. At least a portion of the first 
intermediate value is provided to a second random lunction for 
producing a second value. Exclusive- OR(XOR) is preformed on at 
least a portion of the first key value and at least a portion of the 
second value and a second intermediate value is generated. At least 
a portion of the second intermediate value is provided to a third 
random lunction for producing a third value. By performing 
exclusive-OR on at least a portion of the third value and at least a 
portion of the first intermediate value, the key conversion system 
produces at least the first portion of the second key value, and at 
least the second portion of the second key value is produced as the 
second intermediate value. 
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l>E*?jWftWT'*£ 0 fc££E£, f»>^rA(t 0 
2<DHffi©4>& < £ fefS2©gP^>^:03CD^>^AM^ 
fC^j?L Hl3©fB£^T£ 0 H 2 ©$tffi©4>& < £ i> 

^>#ABBifc*Jgt>T, gl^f^-X^AE^ fill CD^ Pel 
ffl3^6H2COtt%^U, H2tDffi£, Iff 2 CDglflCDlil 



tmm 2 0 0 2 2 3 2 4 1 8 
10 

XfA(J, m 2 tDSSffiO E3 £ ^ 

^rfe, 3&2<DHffiEi^g&cW£3ft&^ 0 
[0 0 2 3 ] *^CDffeco^^fcJ:^rJ^tJ^ £(TCCtB 

[0 0 2 4] 

^4fi«t5 B M^^-X^AE*. Itl ©ffifi^X^r 
ACDmfcTy h<Z)$tfiI£:, 13 2 CD jiff :>^A<Z)n E h 

STC&i, -ecDSi^jfe^^-rAEi, 3o©7>^AMt 
Tl*Sn -m tf ^ b 7 s — £?rj&cv ^ t*>^b, ^>#A 

5>^a^^^jI/-c*0, A^J^A^nSJKtc, PI D 

[0 0 2 5 ] ^(Dmm^X-rMX, m\fv h«ffl^^ 

■^AEcMSW^tcEJ, ®2cDMff ^XrACDn b •> hit 
^feSh, H 1 coffiffv-^T-ACOmt; v FSItcKSi 

[0 0 2 6 ] -ecDHSa^SiCCtEDT, jteSS^^- v h^, 

2ocD4ff^aft^>^^Ararn— ^ >^-rsi^cc, 



(7) 



11 



tc, HI5CDIS-4 1 3G-fe^^'Jf^^, VL 
R8 OteJ:^^^^ b 1 2 0 (fe-Sl^il 2 2 ) frc 
*5l=»T, 5 2 0 f^ hVPM^VLRl 1 0^6§fl$ 
nfc64t^hSMEKEYiI^Wt, 128 b 
^ hCKisiy/Sfc 1 2 8 tf^ h I KCC^TSc a? 

A*6 2 >^TSIS&C, I 

S-41 3G^ a 'Jf^SB, VLRSOteJcO* 
MJl^^ b 9 0 (&£OB9 2 Mcfcl^T, 12 8b* 
? FCKfciy/J/cB 1 2 8 b? b I K£r, 64^7 
F S ME KEY iffl^^bttfc 5 2 0 b * F V P MtC^ 
3ft-rS 0 VLRSOti, VPMfciO'SME KE Y£V 
LR 1 1 0 CCtlffiTS. 

[0 0 2 7 ] 0 7&C^Sft&J; F^2 
G CDMAWfW 3 GS^-X^AfCU-^ > #T 
Sl^tc, I S-4 1 3G-fe^^ T Jr^S^ VLR 
8 0feJ:O*«l^^ ■> M 2 0 12 2) tcte 

t^T, 4 2t'^ hPLCM^VLR 1 1 0#»6^»3ti 
fc6 4b ^ F SMEKEYiil^ft, 12 8b* 
hCKtei^/Sfc 1 2 8 U 7 h I KtC^jfe^ra H j£ 
tc, 13 8 J: iI^-;F^3G^f 

A*6 2 G C DMA^fAKP- 5 >^r6I^C, 

IS 41 3G-i2t^yf^aB, VLRSOteJ: 

i^iia^^hgo (abso^ag 2) tctei^r, 128 

y b SMEKEYiI^Mfc4 2 b * b PL CMtC 
S^T5 0 V L R 8 0 PLCMfciySMEKEY 
^VLR 1 1 OtCjifitTSo 

[0 0 2 8 ] 0 9&C^Sft& J: F-3^2 
G GSMV^rA^63G UMTS^rAtCtt- 
^>^TSPStC, UMTS 3G-fe^^'Jf ^Si, 
VLR 8 0*iJ:O^^^^ h60 (*>Sl^«6 2) tc 
*5l>T, VLR5 0#>6S{f3*T,fc6 4b* FK G 

12 8b* bCKfciO'/Sfc 1 2 8 b * b I KKSBl 

*r£ Q fficc, n i o &c7S$ns<£ mi^^f^ 

3G UMTS i/XfA^ti 2 G GSM^^fAKP 
-^>^S^tc, UMTS 3G^^^'Jr^S 

VLR8 0fcJ;^«fi^^9 0 (&&^B9 
2) tCfe^T, 128^7 FCKfei^/J&B 1 2 8 
b* F I K£, 6 4 b* FK C tcS^TSo VLR 8 0 

K c SVLR5 0&CgiT5 o 
[0 0 2 9 ] OfctfS^T, S>SHiS?|5Si-C&3:, ffOl^3 
GifflvxrAOJ:^^, mi ©fift^-X^Atcfci* 
r, ^»£fofcflnA#f£fiE (esa) tecfc^5fc«3tifc 

jpa*^^-t^^- (esp) i£tti&-r2>m t m^~y f 

a, ^C0^^^/^^-^&- F4HgL, *^2G T 
DMAffifi^;*<rA<DJ:5Ec, H2 0ilfi^^T*Atcte 
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h^, E S PCC^U^t^l^2©jLlff i/Xf AOJi 
te, MS C^<DV^r-AH^^> F^^CD^CC, ftfe(Z)ff$ 

26D 



50 



jiff ->Xt~A*xcd^> F^^iftgi StiS i*. 
ft^^rAlt ffUUfitl <DMfi^*^A<Dfc&<DiMi 

-fv FMSCtC^ff SnSC £#h?£5 0 H^&v'.X 

I»>XrA?:ffll^I lcDffiff^^^AilHlt;^ 
^HfftSCi&CJ: 0 , J^CDffiff^^ACD/c^Ogl 

[0 0 3 0]^©«f^XfA^ 01©^XrA^ 
6©St*SS2CD^^A^6C0^tCV^ fc*>^U, £6 
tcff^TcCcMTc tctXU., 3 Gffltff ^XfAi 2 G 
TDMA^fAi©fflt^XfA^> b^^ff 

-rsp^tc, ^Qgt^jfe^x^Acs, Hf-st^cK*. vp 

MASK/SMEKEY (VS) *fCC v * b > £ C 

tt^rWfSo 1) 128tf7hCKtt5 8 4tfv hVS 
tcv*b>#$to£ 0 2 ) ^cDHt^FfMWr & *) , 5 
8 3 b * b VS#n 2 8 b* bCKSCi^C^* b>^3 
toS Q 3 > ^Offifgtt, 5 8 4 b* biStD— BB#! 
Tfe, ftA^CKI:ffK#&^J; 5CC&&#\ 12 
8 b* HCKO-WWoti), «A^5 8 4b' 
* b VS«rW*T#&l^J:5tc&SMi!*r^r*S 0 

* b©^2CDafi^^7" 
AJ; 0 A£&glffi*W-r£gl 1 Ojlff ->x-r A&cfct>T 

ACDgttl*, !|2©aff^X7 : -ACDttf[itCV^ b>^T 
HI COfflff ^^ACOfca&Of^CDilffitCVy t:> 

^"r -2> a* , ^o^ffltt«*7]cDitffl i Mir u *> h d r a & 

[0 0 3 1 ]fc£^.il 2G T DMA^Xf At#f 
T^»ll^t, 3 GWfA^>XfAH^> F*74H 
tf^^l^CC, Iffr>XfAtt VPMASK/SME 
KEY (VS) >fr*Hi-£fHCK&CV? f>^tSCi*i 
rg5 B CKDSIflS^fiRrB, 5 8 4b^ 

hVS^l 28 b ^ b CKCCV ^ fc">^-rS 0 *8*g^^- 
b^2 G TDMAVXf AiC^y b ^ ^ UTl^jg 
^tca, «l^fAH, 128b ^FCK* 584 
tf^ bVS(CV7b>^Ltim ffUOS 8 4b ^ 

hVSit *fiJCD5 8 4U7 b V S^mWUtj;^ 
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[0 0 3 2 ] CCD^Jfe^filrB, W^^rAit ff 

"rA<D?c&><D, E S Pit(Dj:5&itffi£, *0=>:/^>f^ 

tt, -€-©^j^68#ett, frUt^lS 1 ©ffifg^^AGcfefr 
512 8b^hCK£, *l^2CDMff^XrACD/c^ 
<Z)V PMASK/SMEKEY ( V S ) $mcm%TZ> C 
£tC%£ 0 VPMASKBS^7lSjO«^CC2 6 0 b>> h 
SMEKEYS, *^ilff^X^AtC 
J:otffll^n^5 8 4 b^ hCDt§^fC6 4 b>> bg 

*SCi*Sfffl&»^*5 fl ^fflft^^Atiffb 

^T^rSff L^aff^X^AfCfiat-^T:^6 5 0 5 8 4 
b-y hSt<D^#B#tC, 



&f Ul^lff i/XfAtt 12 8b 
[0 0 3 3 ] hfci^MSCCCteOirf^S 

CiCDra^tS#a*3EjftT-SC<t*^ii*"r, CK£V 
[0 0 3 4] 5 *l^ffl{f ^X^Ap^tDgS^tCcfco 

A 63: pj IWr & n &i & 6 & I ^ * to &c k #» ;b 6 
flfftT SCim5 0 C cd^iJ &c fc £it^f^> xfA 



(8) #i2 0 0 2 2 3 2 4 1 8 

14 

#&l> 0 CtDmSB, VPMASK©- gBfl*fl&<DgR#J: 
9^gteW£3to&»^&9 , VPMASK^MS 
M E K E Y J: 0 S S tc W£ $ to S *§ ^ & £ GD~C S^^C 

It L t CC « , « A^« C K tc > =b#> £ C £ 

[0 0 3 5 ] i-S^Jfe^Sg-CB, J t<Dm%m&%2-J<D 

i> 0 3 Gaff ^XrA^S 2 G TDMAHr>XrA 
^OP- ^>WIt1^ JIK&[Sl^ft»IB», 12 8b 

5 8 4 fcT y h V SSttCffiSETSo i!WffilS»*ffiB, 5 
8 4 b ^ h V S 0 , ^ to£r 1 2 8 b y h C K 

20 fg&i, ^CDA^*^>^A&a^rccv^ b">^TS3 
r mu S C i 3&sr * SfilH S fifc 5 > ^ A Htfer & 

til 2 8 b f y hA^^4 5 6 tf y h-7>^AffitCv^ b 
30 h«4 5 6 b ^ hA*^ 1 2 8 b^ h^>^A 

[0 0 3 6] il HJ, Hi (Dlfr>XrA(Dme7 h 
MfBKE Y 1 £rid2CDafi ^fA©n b^ h«ffiKE 
Y2 tcS*TSfcfe(DS^»^^^A<Dja*lSjS»<D— 

AMi^f (^07^200) me.h, 5>3^ABga 
i^b^i cD^rafaRtc^y t 4 >m„ 3 Gaftv-^^ 

A^6 2 G TDMAIf^fAfCP- = >^TSfi f K 
40 tft^XrAI^ 128tfyfiCK45 84tf 

7H(VPMASK, SMEKEY) tcS»t5 D 1 
28b>hglCKB, z?>$J±Mm.f (^n^20 
0) GC^£6to, 7>^AIifm 2 8 b^ hCK 
4 5 6 b ^ h^>^A^&Sl^iHl CDtpMffiRCC 

2 10)Cc:^^6n, 7>^Alih^ n-mb^h 
^r— ^^rj^mb V ^>^ s AiS:tCv^ t 4 >^f5 G HBi£ 
h (210) Omb ^ bm^B, mb ^ h KE Y 1 £BE 
ffiWi^ISffl (XOR2 2 0 ) mb^ h0f 2 

50 <D^IWttT#i£/£$ft£ 0 3Gaff^^.v"A^6 2GT 
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*h*raffiR»M*feh (2 10) {c^±hti^> 0 Mt£h 
(210) ti4 5 6 tfyHR4128tf^h7>?A 
t^C^t:>^U -e<D^>#A|fctt 1 2 8 hCK 
iOSFffi«JiftaW i &i6n, 1 2 8tfv KDffi2<Dtpra 

[0 0 3 7 ] 01 1 CDSISfe^Sgrti, mt7 Y ^rslfflT 
B\ 7>^A«g (^P v % 2 3 0 ) fC^;i6to£ 0 
7>#AB8ifcg 7^2 3 0 ) ti, mU? hf*— £ 

^n-mtf"? f-^>#A$StfCV? t*>^U ^<Z>^> 
Wn-mb'> h™fflRiSfffiStHtffiffi (XOR 
2 4 0) ^i^n, l~?(Dgl ai^OSt* Sl=»BSI<D^ 

2<D^g|5r*S 0 C<D||SfiJ15Sirti, ntf^bglKEY 
2ti, mt:^ ^tDH2CDcpraffiTiifeCC, n-mt ^ 
F-ffiV*$t* 0 3Giiff^X^A^6 2G T D MAiS 

(2 3 0 ) t£ 1 2 8 I- WflffiT* 4 5 6 t'^7> 
#AiWCV^ t: ^<D<5>#Ai&W:4 5 6 ^ h 

*|IH^£©WffiftIftffiW (XOR2 40) 
45 6^7hiiV«^n^ 0 4 5 6 b7httVfc 
: 1 2 8 b H^fiBfiT^, 2G TD 

MA^f A<Z)fc6(DVPMA S KfciffSMEKEY 
fc#SiJT£C£#^*£5 8 4^7 HflKE Y 2 £?fj 

[0 0 3 8 ] 3G^fAOCK^6 2G TDMA^> 
XrA(DV PM A S KfeJ: O'SMEKE Y^CDJfB^^ 

1. R= f (CK) /* f £fiffiT£C££ci;0 1 
2 8 b ^ bCK^64 5 6 b ^ MB£fE)S* / 

2. T=h (R) XOR CK /* h»tl 
2 8 fcf* MlISfMt* / 

3. V=s (T) XOR R /* g*ffll^4 5 

4. m*T, V /* 5 8 4f-> H®*[ftfj* / 
[0 0 3 9 ] 0 1 2 tt, H2COaff v-Xr-ACOn tf y h 

HffirKE Y2§, H 1 cDMff^X^ACDmb ^ F-UffiK 

E Y l tc^orM^/c^oa^ft^x^Acoffi^^ 

tf y F-gtffiKE Y2ti, n -mtf? <DSfl#;ft& 

2 5 0) £C^7t6ti, 7>^AiSgtt mt^f- 
#^ij£rn -mfcf^ h^>#Aifcfc:vy f>^t5 fl n- 
mtfv V ^>#Aife{£, n -mtf^ hStfflV <hSPfltWI& 
IIP (XOR260) ^i6n, n-mU^ KDglO 
£firafaR^*JS$to& a > h^3 G'>XrA^ 

62 G TDMAv'XfAtCP-^>^LtMSMr 
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tt, ^r>^T~A^ 5 84tfy hi (VPMASK, 
SMEKEY) SI 2 8^7HCKtC^ft1-5 0 12 
8b^h$lffgP5>T^ ^>#AMS£g (^D^25 
0) t£^6to, 7>^AiigCil 2 8^^ hTS4 
5 6 b ^ h ^>^AiSctCV^ f>^tS e 4 5 6 b v h 

^>#a»», 4 5 e tr ^ bmmvamf&mwmm (x 

OR2 6 0) Si6tl, 4 5 6 ^ KDSl CDtprafflR 

[ 0 0 4 0 ] 0 1 2 (D|QfeJf2JlT* tt, h CD® 

10 l©^rattRtt^>^AMISh (^P^^2 7 0 )CC# 
£.6to-2> 0 ^>#AMifch (:/P ^2 7 0) [t n 
mlf? hf-^'JSmb^ h^>#AiMc^b°>^ 
U m^^7>yAll mb '-^ h glffi T £ SMI&Wffo 
Iftl (XOR2 8 0 ) ££6tl, l^CDSI, «Sfc<D«& 
£W*it<D— g|5£ Lt^SCiOTJSm^^ bSSfB 
KEY1^3nS 0 «a^^^3GVXrA^ 
62 G TDMA^fAicn^- 5 >7Xri^Mr 

7>^'Aiih (7"a^2 7 0) 4 5 6 b> 
h^fUKtRS 12 8^7 h ^>#A$t&tv* b*>^U 
20 1 2 8 fcf ^ I-^>#\A85ct3\ 1 2 8 b > FiHtST iSPffe 
WifelfD (XOR2 8 0) 4(f:6^ 1 2 8 b ^ htlC 

[0 0 4 1] 2G TDMA^fACDVPMASKis 
iffSMEKE Yfr>6 3 G->X -r ACDC K^cDffi^^ 
J^tt, J^TOX-r^ :/GcLfc^T»^t~C£;^£ 

'So 

1 . T\ V£5 8 4 fcf * F-A^fcHSE /* Tfctl 2 
8tr^F-gG£\ V«4 5 6 e* hgftfr* / 

2, R=g (T) XOR V /* T\ 
30 T 4 5 6 b ^ h (BR 3rfB&* / 

3, CK= h (R) XOR T 

[0 0 4 2] 7>^Aiif, gfcjz^hti, J^vzs* 

i^TSSo ^>#A^^;b£P¥^C£^r^£, ^ 
>^Altf, gteJc^hSH^^rSfctotC, S HA — 
K MD5, R I PE-MD£LT*a6*iS@SiS:<DJ:5 

h">^TS£l£tc?5:-5 2o©A*^W^ 
T#&^ 0 SHA-l^r>^iMl^S^ SH 
A- 1 /^ ^->^M^©§PfHbUtil 6 0 ^ btJim^ 
$Y)l> (IV) S^L, 1 60tf^ l-atftfcv^ fc">^ 
^n§5 1 2 tf * b A**Sl^B^-ra- F45TS„ 
IVtiSHA- 1 ^ ^ ^^MSfc<Dfc6&cr)©?i*ItStcS» 

50 i5[, SHA (Type, Count, Input, Pa 



(10) 
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d) £$t?~C&*>5 0 /c/cLTypeKg^(Diif , 

sHA*fsjafepfe>*arcitcao, counts 

©PfffiL*KS0T5 l^V HBrft5 0 InputBH 
ifcf, gS>SmJh-^CDA^5IIS"C&a o Padt£5 1 
2 tf v b S HA^-YU- FftCDSIO<Dtf ^ b95#*S&> 
&fc&(D0fiIr*& o jyTtClEt8SnacD&J, SHAi 

SHA (Type, Count, Input, Pad) 
f (CK) : SHA ( l t 1, CK, pad) 
, 2, CK, pad) 
, 3 4 CK, pad) mo d2 ~ 13 6 
SHA (2, 1 , R, p a d) mo d 2 " 1 



2 0 0 2 
IS 



2 3 2 4 18 



SHA ( 1 
SHA ( 1 
h (R) : 
2 8 

e (T) : 
SHA (3 
SHA (3 



1 3 6 

t£f\ sis J: 



SHA (3, 1 , T, pad) 

2, T, pad) 

3, T, pad)mod2~ 
AE S(DJ: * #Hi-^£/BOT, m 

f (CK) : E c k ( 1 ) ; E c K (2) ; E 
c k (3 ) ; E c k (4) mo d 2 ~ 7 2 
h (R) : E K c (Rl XOR 5)XOR E K 0 
(R2XOR 6) XOR E K o (R3 XOR 
7) XOR E K o (R4 XOR 8) 
g (T) :E T (9) ;E T (10) ;E T (11) ; 
E T ( 1 2 ) m o d 2 " 7 2 

tctcL, f (CK) tcfcl^r, CKtir/P^Hf-SfftCD 
iiOtffll^n, 5 1 2 t: ^ FX b V-MX£!*y>5 
RC*5(,>T 1 . . . 4£Hi-^ffcT£C£CCj;9£/& 
3ft ^f^CDBf-^Ci 1 2 8 fcf ^ F-#>£7 2 t ^ RcfJ 

■^wen, ^isn64 5 6 h^iens. h 

(R) fC^t^T, ^liKOS, 4 5 6 tf^ hRCDg|S# 

9U^St=»CCSffi&WI&afil*i6nSc RK R2te<ttf 
R3«12 8^7hfr^^ R4ttRCDg|0CD7 2 tf 

> hfirc$>^ 128^7 h£3£jS3tf£fc<*&cor« 
tf)e>ft£ 0 

[0 0 4 3] CUT, IfI^XfA(t Hi ©jiff 
t~ A £ IS 2 (Dilff >^ 5r A £ (DRi!<DSt& & I > 

So tli^KEY2 (fc£;U£, 

T\ V) OA3B»^^.6nS£#r*fe, ftAf^KE 
Yl (tc±%.U, CK) SCi^Ttft^il^ 
JII^|aJtCtel^T^r*S 0 2G TDMAi 
3 G^-X-rAJ&ffili-S^J-CtJ, TCD^T, tecfc!^ fc£ 

R=g (T) XOR V^ltSLTSCitCcfc^ 

r, r<d— suaw*-rac£*5rss^ r^tb* 

rSSbtftB&^c CK-h (R) XOR T£rH 
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20 



30 



40 
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£, h (R) tColirlflfiCDl tf^ bfcO ifeB^TS 
C£^r^&i^ 0 ^fts$^, CKtcoi*rftfB£W*:T 

6 4 h*|^< TCD^^fc3&»SJS^r*oT&, C 

Wiifc&'hW'VlXft^tclb, g (T) XOR V^rffl 

WBfilRSffl^&tffttf, CKtco^rcD&6®&1#$R 

[ o 0 4 4 ] imSltC. f(DiSSWfAB, m^JKE 
Yl (fciitt CK) CDASI^^^ftTk, ttA 
f^KEY2 (?c<L?LU, T\ V) ^SatSEli^ 

ti, 2G TDMAfcJ:y3G^f ASft^Wr 

Sfottrta&^fcS), f (ck) ^rffli^r^rHlfaR^lt 
tc, 5fc&citt*c £#sr 

[0045] ±iao^Jtof^tc*njir , ^mm<Dmmc 

l>tcfr-j tcm^Mi/ ^fAB, A^ * -7 ^ - 3? J: ^/ 

mt^ hf^- £^J£:n -m t; ^ h ^>#A£StfCv> ^ t"> 
^L, ^>^A^^^;bh^n -mt hf— ^^ij^rm 

At7^Jl/f, gteJ;^h£:JBl^T, Slcoaff^X^ 
ACDntf^ b«£®2 CDfflff->X^ACDm tf ^ hSt£CD 

^>^A^tC^^^>^L, *V^fctty tfy h^- 
»JI:x^7 h^>^A^CCv-> b^^tStliA^* 
%> 0 tcfcL, x afeSl^iy 1^ n - m$>Sl^l^mtc^U < 
TSCi^ttSo 3 m 1 CDMff^X^ACDmb" 

^ f«fB^ loot ffllK©SI*Si^i^cr)— SPiur 

ffll^C£^^, ^2cDMff ->X^ACDn t ^ hil 
%l-o(Dm, fflSS[<DStS>St^J-ecD— g|5£ Ltffll^C 
£^r*#S D /c£^tf, 2G TDMAfeiy3G^ 
■rA^rfflt^S^J-rti, -ecD^^CJ, 3G->X^ACD12 
Stf^bCKi, 2G TDMA^rACDSMEKE 
YfcitfVPMAS KCDfcS5(D5 8 4t'7 I-Hffi£(D|ffl 

I K <Z) 2 5 6^7 h St fit £ , 2G TDMA^XfACD 
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SMEKE Yfc<tO'VPMASK<Z)fca!)(D5 8 4 tf y b 

mm i ©ra^f t>n scifertsw^ 

[0 0 4 6] _hfE<Dl5!lr&i, JW^^?^ ® 1 ©fflft 
VXfAOm^^ F£lfB^6Sl2 (DMiW ^>^rA(?)n fcf 
^ h@tffi^ff;bfo, 0 1 coilff v^-rAtJff H^jffiff ^> 
X 7^ ACC*f JS U IH 2 (DMiWisX A t^Ujlit 7^ 
A&CjtfJLEU m<nt*S 0 L#>LEc#i6, SUSJKBsKl 
iotit Iff 1 Ojlff ^X^A^^Mft^X^Ate; 

ACD/hS ^ A XcDiSfifr> 6S'Jcoaff v'X Acdt^ i> 
fcfv F1^Xcd«{B^cd^J^U iS^lnj^jft*, A# 
^t^;ff^ X<D§Sf@^ 6 3 I ^ -f XcDSUB-^ <Z>SJ* 

cc/h s & Xfe J: 2>VS fctiim D-F ^ xogtffi©^ 

[0 0 4 7] 5 ^CO^Jft^X^A^rffl^r, HI 

r, abSfflff %/X7~2*ij>*><D 1 otDSi, ffit£cDfit£>£t^ 20 

AlSiEM, *-An^r-^3>l/^x^ (HL 
R) , *-AMSC, e^i?-|SfiEM, t^£-Pi5r- 
->a>U^X^ (VLR) fciy/JfcB^i/^-MS 

MSC, VLR, HLR*Sl4iffetD1f ^>X^A 

n«, *«w©ra^o^=&a*r^isi*tc«ajs3n 
h ^ j: tfie« ^ns j&^ki atEffl jisjb ^ 



Si2 00 2 2 324 18 
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t§ci^<, *^tc*ff seine *jJ:cks^o 

[0 0 4 8] 
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(57) ABSTRACT 

The present invention is a key conversion system for deter- 
ministically and reversibly converting a first key value of a 
first communications system into a second key value of a 
second communication system. For example, the key con- 
version system generates a first intermediate value from at 
least a portion of the first key value using a first random 
function. At least a portion of the first intermediate value is 



provided to a second random function to produce a second 
value. An exclusive-or is performed on at least a portion of 
the first key value and at least a portion of the second value 
to generate a second intermediate value. At least a portion of 
the second intermediate value is provided to a third random 
function to produce a third value. By performing an exclu- 
sive-or on at least a portion of the third value and at least a 
portion of the first intermediate value, the key conversion 
system produces at least a first portion of the second key 
value, and at least a second portion of the second key value 
is produced as the second intermediate value. The key 
conversion system is reversible or bi-directional in that, if 
the wireless unit is handed off back to the first communi- 
cations system, the second key value of the second commu- 
nications system is converted back to the first key value of 
the first communications system. For example, the key 
conversion system provides the at least second portion of the 
second key value to the third random function to produce the 
third value. The first intermediate value is generated by 
performing an exclusive-or on the first portion of the second 
key value and the third value. Using the second random 
function, the key conversion system generates the second 
value from the first intermediate value and produces at least 
a portion of the first key by performing an exclusive-or on 
the second value and the second portion of the second key 
value. 
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KEY CONVERSION SYSTEM AND METHOD 

BACKGROUND OF THE INVENTION 
[0001] 1. Field of The Invention 

[0002] The present invention relates to communications; 
more specifically, the conversion of keys for first and second 
communications systems as the wireless unit roams between 
the first and second communications systems. 

[0003] 2. Description of Related Art 

[0004] FIG. 1 depicts a schematic diagram of first and 
second wireless communications systems which provide 
wireless communications service to wireless units (e.g., 
wireless units \2a-c) that are situated within the geographic 
regions 14 and 16, respectively. A Mobile Switching Center 
(e.g. MSCs 20 and 24) is responsible for, among other 
things, establishing and maintaining calls between the wire- 
less units, calls between a wireless unit and a wireline unit 
(e.g., wireline unit 25), and/or connections between a wire- 
less unit and a packet data network (PDN), such as the 
internet. As such, the MSC interconnects the wireless units 
within its geographic region with a public switched tele- 
phone network (PSTN) 28 and/or a packet data network 
(PDN) 29. The geographic area serviced by the MSC is 
divided into spatially distinct areas called "cells." As 
depicted in FIG. 1, each cell is schematically represented by 
one hexagon in a honeycomb pattern; in practice, however, 
each cell has an irregular shape that depends on the topog- 
raphy of the terrain surrounding the cell. 

[0005] Typically, each cell contains a base station (e.g. 
base stations 22a-e and 26a-e), which comprises the radios 
and antennas that the base station uses to communicate with 
the wireless units in that cell. The base stations also com- 
prise the transmission equipment that the base station uses to 
communicate with the MSC in the geographic area. For 
example, MSC 20 is connected to the base stations 22a -e in 
the geographic area 14, and an MSC 24 is connected to the 
base stations 26a -e in the geographic region 16. Within a 
geographic region, the MSC switches calls between base 
stations in real time as the wireless unit moves between 
cells, referred to as call handofL Depending on the embodi- 
ment, a base station controller (BSC) can be a separate base 
station controller (BSC) (not shown) connected to several 
base stations or located at each base station which admin- 
isters the radio resources for the base stations and relays 
information to the MSC. 

[0006] The MSCs 20 and 24 use a signaling network 32, 
such as a signaling network conforming to the standard 
identified as TIA/EIA-41-D entitled "Cellular Radiotele- 
communications Intersystem Operations," December 1997 
("IS-41"), which enables the exchange of information about 
the wireless units which are roaming within the respective 
geographic areas 14 and 16. For example, a wireless unit 12a 
is roaming when the wireless unit 12a leaves the geographic 
area 14 of the MSC 20 to which it was originally assigned 
(e.g. home MSC). To ensure that a roaming wireless unit can 
receive a call, the roaming wireless unit 12a registers with 
the MSC 24 in which it presently resides (e.g., the visitor 
MSC) by notifying the visitor MSC 24 of its presence. Once 
a roaming wireless unit 12a is identified by a visitor MSC 
24, the visitor MSC 24 sends a registration request to the 
home MSC 20 over the signaling network 32, and the home 



MSC 20 updates a database 34, referred to as the home 
location register (HLR), with the identification of the visitor 
MSC 24, thereby providing the location of the roaming 
wireless unit 12a to the home MSC 20. 

[0007] After a roaming wireless unit is authenticated, the 
home MSC 20 provides to the visitor MSC 24 a customer 
profile which indicates the features available to the roaming 
wireless unit, such as call waiting, caller id, call forwarding, 
three-way calling, and international dialing access. Upon 
receiving the customer profile, the visitor MSC 24 updates 
a database 36, referred to as the visitor location register 
(VLR), to provide the same features as the home MSC 20. 
The KLR, VLR and/or the authentication center (AC) can be 
co-located at the MSC or remotely accessed. 

[0008] If a wireless unit is roaming between wireless 
communications systems using different wireless communi- 
cations standards, providing the wireless unit with the same 
features and services in the different wireless communica- 
tions systems is complex if even feasible. There are cur- 
rently different wireless communication standards utilized in 
the U.S., Europe, and Japan. The U.S. currently utilizes two 
major wireless communications systems with differing stan- 
dards. The first system is a time division multiple access 
system (TDMA) and is governed by the standard known as 
IS -13 6, the second system is a code division multiple access 
(CDMA) system governed by the standard known as IS -95. 
Both communication systems use the standard known as 
IS -41 for intersystem messaging, which defines the authen- 
tication procedure. 

[0009] In TDMA, users share a frequency band, each 
user's speech is stored, compressed and transmitted as a 
quick packet, using controlled time slots to distinguish them, 
hence the phrase "time division". At the receiver, the packet 
is decompressed. In the IS- 136 protocol, three users share a 
given carrier frequency. In contrast, CDMA uses a unique 
code to "spread" the signal across the wide area of the 
spectrum (hence the alternative name -spread spectrum), and 
the receiver uses the same code to recover the signal from 
the noise. Avery robust and secure channel can be estab- 
lished, even for an extremely low-power signal. Further, by 
using different codes, a number of different channels can 
simultaneously share the same carrier signal without inter- 
fering with each other. Both CDMA and TDMA systems are 
defined for a Second Generation (2G) and Third Generation 
(3G) phases with differing requirements for user information 
privacy or confidentiality. 

[0010] Europe utilizes the Global System for Mobiles 
(GSM) network as defined by the European Telecommuni- 
cations Standard Institute (ETSI). GSM is a TDMA stan- 
dard, with 8 users per carrier frequency. The speech is taken 
in 20 msec windows, which are sampled, processed, and 
compressed. GSM is transmitted on a 900 MHz carrier. 
There is an alternative system operating at 1.8 GHz (DCS 
1800), providing additional capacity, and is often viewed as 
more of a personal communication system (PCS) than a 
cellular system. In a similar way, the U.S. has also imple- 
mented DCS-1900, another GSM system operating on the 
different carrier of 1.9 GHz. Personal Digital Cellular (PDC) 
is the Japanese standard, previously known as JDC (Japa- 
nese Digital Cellular). PDC is a TDMA standard similar to 
the U.S. standard known as IS-54 protocol. 

[0011] The GSM network utilizes a removable user iden- 
tification module (UIM) which is a credit card size card 
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which is owned by a subscriber, who slides the UIM into any 
GSM handset to transform it into "their" phone. It will ring 
when their unique phone number is dialed, calls made will 
be billed to their account; all options and services connect; 
voice mail can be connected and so on. People with different 
UIMs can share one "physical" handset, turning it into 
several "virtual" handsets, one per UIM. Similar to the U.S. 
systems, the GSM network also permits "roaming", by 
which different network operators agree to recognize (and 
accept) subscribers from other wireless communications 
systems or networks, as wireless units (or UIMs) move. So, 
British subscribers can drive through France or Germany 
and use their GSM wireless unit to make and receive calls 
(on their same UK number), with as much ease as an 
American businessman can use a wireless unit in Boston, 
Miami, or Seattle, within any one of the U.S. wireless 
communications system. The GSM system is defined as a 
Second Generation (2G) system. 

[0012] The third generation (3G) enhancement of the 
GSM security scheme is defined in the Universal Mobile 
Telecommunications Service (UMTS) set of standards, and 
specifically for the security in the standard identified as 
3GPP TS-33.102 "Security Architecture" specifications. 
This security scheme with slight variations will be used as 
a basis for the worldwide common security scheme for all 
3G communications systems, including UMTS, TDM A, and 
CDMA. 

[0013] The 2G GSM authentication scheme is illustrated 
in FIG. 2. This authentication scheme includes a home 
location register (HLR) 40, a visiting location register 
(VLR) 50, and a wireless unit or mobile terminal (MT) 60, 
which includes a UIM 62. When the mobile terminal 60 
places a call, a request is sent to the home location register 
40, which generates an authentication vector AV, also called 
"triplet" (RAND, SRES, K c ) from a root key IQ. The triplet 
includes a random number RAND, a signed response SRES, 
and a session key K c . The triplet is provided to the visiting 
location register 50, which passes the random number 
RAND to the mobile terminal 60. The UIM 62 receives the 
random number RAND, and utilizing the root key IQ, the 
random number RAND, and an algorithm A3, calculates a 
signed response SRES. The UIM 62 also utilizes the root key 
IQ and the random number RAND, and an algorithm A8 to 
calculate the session key K^. The SRES, calculated by the 
UIM 62, is returned to the visiting location register 50, 
which compares this value from the SRES received from the 
home location register 40, in order to authenticate the 
subscriber using the mobile terminal 30. 

[0014] In the GSM "challenge/response" authentication 
system, the visiting location register 50 never receives the 
root key IQ being held by the UIM 32 and the home location 
register 40. The VLR 50 also does not need to know the 
authentication algorithms used by the HLR 40 and UIM 62. 
Also, in the GSM authentication scheme, the triplet must be 
sent for every phone call by the home location register 40. 
RAND is 128 bits, SRES is 32 bits, and K c is 64 bits, which 
is 224 bits of data for each request, which is a significant 
data load. The main focus of this description is the 64 bits 
long K c session ciphering key which is used for user infor- 
mation confidentiality. When the mobile terminal roams into 
another serving system while in the call, the session key K c 
is forwarded from the old VLR to the new target serving 
system. 



[0015] FIG. 3 shows the UMTS security scheme which is 
an enhancement to the 2G GSM scheme. Similar to the GSM 
scheme, when the mobile terminal 90 places a call, a request 
is sent to the home location register 70, which sends an 
authentication vector — AV to the Visited Location Register 
(VLR) 80 which contains five elements instead of the three 
elements of a triplet, and therefore is called "quintuplet". 
This vector contains the 128 bit RAND, the 64 bits SRES, 
the AUTN value which carries the authentication signature 
of the home network, and two session security keys: the 128 
bit ciphering key CK and the 128 bit integrity key IK. These 
latter two keys, CK and IK, are the focus of this description. 

[0016] The vector is provided to the visiting location 
register 80, which passes the random number RAND and the 
AUTN to the mobile terminal 90. The UIM 92 receives the 
random number RAND, and utilizing the root key K^, the 
random number RAND, and an defined algorithmic func- 
tions, validates the AUTN and calculates a signed response 
SRES. The UIM 92 also utilizes the root key IQ and the 
random number RAND and defined algorithmic functions to 
calculate the session keys CK and IK. The SRES, calculated 
by the UIM 92, is returned to the visiting location register 
80, which compares this value from the SRES received from 
the home location register 70 in order to authenticate the 
subscriber using the mobile terminal 90. A focus of this 
description are the 128 bits long session ciphering key CK 
and 128 bits long session integrity key IK which are used for 
user information confidentiality and session integrity pro- 
tection. Once the subscriber is successfully authenticated, 
the VLR 80 activates the CK and IK received in this 
authentication vector. If the mobile terminal roams into 
another serving system while on the call, the CK and IK are 
sent to the new target serving system. 

[0017] The 2G IS-41 authentication scheme, used in U.S. 
TDM A and CDMA systems, is illustrated in FIG. 4. This 
authentication scheme involves a home location register 
(HLR) 100, a visiting location register (VLR) 110, and a 
mobile terminal (MT) 120, which can include a UIM 122. 
The root key, known as the A_key, is stored only in the HLR 
100 and the UIM 122. There is a secondary key, known as 
Shared Secret Data SSD, which is sent to the VLR 110 
during roaming. SSD is generated from the A_key using a 
cryptographic algorithm. The procedure for generating the 
SSD is described elsewhere and is known to those skilled in 
the art. When the MT 120 roams to a visiting network, the 
VLR 110 sends an authentication request to the HLR 100, 
which responds by sending that subscriber's SSD. Once the 
VLR 110 has the SSD, it can authenticate the MT 120 
independently of the HLR 100, or with the assistance of the 
HLR 100 as is known to those skilled in the art. The VLR 
110 sends a random number RAND to the UIM 122 via the 
MT 120, and the UIM 122 calculates the authentication 
response (AUTHR) using RAND and the stored value of 
SSD in UIM 122. AUTHR is returned to the VLR 110, 
which checks it against the value of AUTHR that it has 
independently calculated in the same manner. If the two 
AUTHR values match, the MT 120 is declared valid. This 
process repeats when the wireless unit attempts to access the 
system, for instance, to initiate a call, or to answer a page 
when the call is received. 

[0018] In these cases, the session security keys are also 
generated. To generate session security keys, the internal 
state of the computation algorithm is preserved after the 
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authentication calculation. Several session security keys are 
then calculated by the UIM 122 and the VLR 110 using the 
current value of SSD. Specifically, the 520 bits Voice 
Privacy Mask (VPM) is computed, which is used for con- 
cealing the TDMA speech data throughout the call. This 
VPM is derived at the beginning of the call by the UIM and 
VLR, and, if the mobile roams into another serving system 
during the call, the VPM is sent to the new serving system 
by the VLR. When the call is concluded, the VPM is erased 
by both the UIM and the serving VLR. Likewise, the 64 bits 
Signaling Message Encryption Key (SMEKEY) is com- 
puted, which is used for encrypting the TDMA signaling 
information throughout the call. This SMEKEY is derived at 
the beginning of the call by the UIM and VLR, and, if the 
mobile roams into another serving system during the call, 
the SMEKEY is sent to the new serving system by the VLR. 
When the call is concluded, the SMEKEY is erased by both 
the UIM and the serving VLR. 

[0019] The 2G CDMA scheme uses a similar method of 
key distribution, except, instead of the 520 bits VPM, it is 
using the 42 Least Significant Bits (LSB) of the VPM as a 
seed into the Private Long Code Mask (PLCM). This PLCM 
is used as an additional scrambling mask for the information 
before its spreading. The 42-bit PLCM is consistent through- 
out the call and is sent to the new serving system by the VLR 
if the mobile roams into another serving system. The 
SMEKEY is used in the same way as in the TDMA based 
scheme. 

[0020] The IS-41 3G security scheme uses the UMTS 
security scheme, which is based on the delivery of the 
128-bits ciphering key CK and 128-bits integrity key IK to 
the visited system VLR, while the same keys are computed 
by the UIM. 

[0021] Key conversions as a wireless unit roams between 
communications systems should be performed in a way that 
even if lower security of 2G schemes and algorithms is 
compromised and partial keys are recovered by the intruder, 
the 3G session keys would still maintain the same level of 
security. Such conversions will allow a subscriber to "roam 
globally" maintaining the security of communications data 
and integrity of communications session. 

SUMMARY OF THE INVENTION 

[0022] The present invention is a key conversion system 
for deterministically and reversibly converting a first key 
value of a first communications system into a second key 
value of a second communication system. For example, the 
key conversion system generates a first intermediate value 
from at least a portion of the first key value using a first 
random function. At least a portion of the first intermediate 
value is provided to a second random function to produce a 
second value. An exclusive -or is performed on at least a 
portion of the first key value and at least a portion of the 
second value to generate a second intermediate value. At 
least a portion of the second intermediate value is provided 
to a third random function to produce a third value. By 
performing an exclusive-or on at least a portion of the third 
value and at least a portion of the first intermediate value, the 
key conversion system produces at least a first portion of the 
second key value, and at least a second portion of the second 
key value is produced as the second intermediate value. The 
key conversion system is deterministic in that, given a first 



key value, a wireless unit and the wireless communications 
system will determine the same second key value without 
requiring an exchange of information. 

[0023] The key conversion system is reversible or bi- 
directional in that, if the wireless unit is handed off back to 
the first communications system, the second key value of the 
second communications system is converted back to the first 
key value of the first communications system. For example, 
the key conversion system provides the at least second 
portion of the second key value to the third random function 
to produce the third value. The first intermediate value is 
generated by performing an exclusive-or on the first portion 
of the second key value and the third value. Using the second 
random function, the key conversion system generates the 
second value from the first intermediate value and produces 
at least a portion of the first key by performing an exclusive- 
or on the second value and the second portion of the second 
key value. The key conversion system provides improved 
security because even if almost all of the second key value 
is known, the first key value cannot easily be recovered. 
Similarly, if almost all of the first key value is known, the 
second key value is not easily recovered. 

BRIEF DESCRIPTION OF THE DRAWINGS 

[0024] Other aspects and advantages of the present inven- 
tion may become apparent upon reading the following 
detailed description and upon reference to the drawings in 
which: 

[0025] FIG. 1 shows a general diagram of wireless com- 
munications systems for which the key conversion system 
according to the principles of the present invention can be 
used; 

[0026] FIG. 2 is a block diagram illustrating the basic 
components of the prior art 2G global system for mobiles 
(GSM) network and security messages transmitted in the 2G 
GSM network; 

[0027] FIG. 3 is a block diagram illustrating the basic 
components of the prior art 3G UMTS network and mes- 
sages transmitted in the 3G UMTS network; 

[0028] FIG. 4 is a block diagram illustrating the basic 
components of the prior art 2G IS-41 network and messages 
transmitted in the prior art 2G IS-41 network; 

[0029] FIG. 5 is a block diagram illustrating how a user 
roams from a 2G TDMA network into a generic 3G network; 

[0030] FIG. 6 is a block diagram illustrating how a user 
roams from a generic 3G network into a 2G TDMA network; 

[0031] FIG. 7 is a block diagram illustrating how a user 
roams from a 2G CDMA network into a generic 3G network; 

[0032] FIG. 8 is a block diagram illustrating how a user 
roams from a generic 3G network into a 2G CDMA network; 

[0033] FIG. 9 is a block diagram illustrating how a user 
roams from a 2G GSM network into a generic 3G network; 

[0034] FIG. 10 is a block diagram illustrating how a user 
roams from a generic 3G network into a 2G GSM network; 

[0035] FIG. 11 is a flow diagram of an embodiment of the 
forward conversion for the key conversion system according 
to principles of the present invention; and 
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[0036] FIG. 12 is a flow diagram of an embodiment of the 
reverse conversion for the key conversion system according 
to principles of the present invention. 

DETAILED DESCRIPTION 

[0037] An illustrative embodiment of the key conversion 
system according to the principles of the present invention 
is described below which provides an improved key con- 
version for a wireless unit which roams between first and 
second wireless communications systems. The key conver- 
sion system deterministically and reversibly converts an m 
bit key value of a first communications system into an n-bit 
key value of a second communication system. In certain 
embodiments, the key conversion system use three random 
functions f, g and h where random functions f and g map an 
m bit input string into an n-m bit string resembling a random 
number, and the random function h maps an n-m bit string 
into an m bit string resembling a random number. A random 
function maps inputs to outputs such that the outputs are 
unpredictable and random looking given the input. In the 
embodiments described below, the random functions are 
random oracles where every time an input is given it maps 
to the same output. Additionally, in the embodiments 
described below, the random functions are publicly known. 
For example, the random functions are known by the wire- 
less communications system(s) involved in the intersystem 
handoff and the wireless unit. 

[0038] The key conversion system is deterministic in that, 
given an m-bit key value, a wireless unit and the wireless 
communications system will determine the same n-bit key 
value without requiring an exchange of information. The key 
conversion system is reversible or bi-directional in that, if 
the wireless unit is handed off back to the first communi- 
cations system, the n bit key of the second communications 
system is converted back to the m-bit key of the first 
communications system. The key conversion system pro- 
vides improved security because even if almost all of the n 
bit key value is known, the m bit key value cannot easily be 
recovered. Similarly, if almost all of the m bit key value is 
known, the n bit key value is not easily recovered. 

[0039] Depending on the embodiment, the key conversion 
system can provide secure, deterministic and bi-directional 
key conversion when a wireless unit roams between two 
wireless communications system, such as between an older 
communications system and a newer communications sys- 
tem. For example where the same reference numerals indi- 
cate like components, the IS-41 3G security scheme of FIG. 
5 converts, at the VLR 80 and at the wireless unit 120 (or 
122), the 520-bits VPM in combination with the 64-bits 
SMEKEY received from the VLR 110 to the 128-bit CK 
and/or 128-bit IK when the wireless unit roams into the 3G 
system from the 2G TDMA system. Conversely, as shown in 
FIG. 6, the IS-41 3G security scheme converts, at the VLR 
80 and the wireless unit 90 (or 92), the 128-bit CK and/or the 
128-bit IK to the 520-bits VPM in combination with the 
64-bits SMEKEY when the wireless unit roams into the 2G 
TDMA system from the 3G system. The VLR 80 provides 
the VPM and the SMEKEY to the VLR 110. 

[0040] As shown in FIG. 7, IS-41 3G security scheme 
converts, at the VLR 80 and at the wireless unit 120 (or 122), 
the 42-bits PLCM in combination with the 64-bits SMEKEY 
received from the VLR 110 to the 128-bit CK and/or the 



128 -bit IK when the wireless unit roams into the 3G system 
from the 2G CDMA system. Conversely, as shown in FIG. 
8, the IS-41 3G security scheme converts, at the VLR 80 and 
at the wireless unit 90 (or 92), the 128-bit CK and 128-bit 
IK to the 42-bits PLCM in combination with the 64-bits 
SMEKEY when the mobile roams into the 2G CDMA 
system from the 3G system. The VLR 80 provides the 
PLCM and the SMEKEY to the VLR 110. 

[0041] As shown in FIG. 9. the UMTS 3G security 
scheme converts, at the VLR 80 and at the wireless unit 60 
(or 62), the 64-bit Kc received from the VLR 50 to the 
128-bit CK and/or the 128-bit IK when the wireless unit 
roams into the 3G UMTS system from the 2G GSM system. 
Conversely, as shown in FIG. 10, the UMTS 3G security 
system converts, at the VLR 80 and at the wireless unit 90(or 
92), the 128-bit CK and/or the 128-bit IK to the 64-bit 
when the wireless unit roams into the 2G GSM system from 
the 3G UMTS system. The VLR 80 provides the to the 
VLR 50. 

[0042] Accordingly, in certain embodiments, a wireless 
unit that supports enhanced subscriber authentication (ESA) 
and enhanced subscriber privacy (ESP) in a first communi- 
cations system, such as a newer 3G communications system, 
may implement multiple privacy modes to enable the wire- 
less unit to provide privacy using older algorithms in a 
second communications system, such as an older 2G TDMA 
communications system. Such a wireless unit can provide 
other forms of privacy after intersystem handoff to an MSC 
for an older second communications system that does not 
support ESP. When handoff to the older second communi- 
cations system is required, the key conversion system can 
convert the key values for the newer first communications 
system to the privacy keys needed for the older privacy 
algorithms supported by the older second communications 
system. The keys for the second communications system can 
be sent to the target MSC of the second communications 
system from the MSC of the first communications system. 
Since the key conversion system is deterministic, the wire- 
less unit will also have the keys for the second communi- 
cations system by performing the same conversion as the 
first communication system using the key conversion system 
of the present invention. 

[0043] The key conversion system maps a key(s) from a 
first system into a key(s) of a second system and back again. 
For example, when performing an intersystem handoff 
between a 3G communications system and a 2G TDMA 
system, the key conversion system can map a cipher key CK 
into a VPMASK/SMEKEY (VS) pair. In this embodiment, 
the key conversion function possesses the following prop- 
erties: 1) A 128 bit CK is mapped into a 584 bit VS; 2) The 
function is reversible and maps back a 584 bit VS into a 128 
bit CK; and 3) The function is secure in the sense that partial 
knowledge of the 584 bit key will not allow the adversary to 
recover the CK, nor will partial knowledge of 128 bit key 
CK allow the adversary to recover the 584 bit VS. In certain 
instances, for example when the call originates in a first 
communication system having a larger key value than the 
target second communications system, the conversion sys- 
tem maps the key value of the first communication system 
to a key value of a second communications system. How- 
ever, if the wireless unit returns to the first communications 
system, the key conversion system maps the second key 
value to a subsequent key value for the first communications 



US 2002/0071558 Al 



5 



Jun. 13, 2002 



system which is not necessarily the same as the original key 
value. Subsequent handoffs back to the first communications 
system from the second communications system produce a 
key value which is the same as the subsequent key value. 

[0044] For example, when performing an intersystem 
handoff for a call originating with a 2G TDMA system to a 
3G system, the key conversion system can map VP MASK/ 
SMEKEY (VS) pair into a cipher key CK. In this embodi- 
ment, the key conversion function maps the 584 bit VS into 
the 128 bit CK. If the wireless unit is handed back to the 2G 
TDMA system, the conversion system maps back the 128 bit 
CK into the 584 bit VS, but the new 584 bit VS may not be 
the same as the original 584 bit VS. Subsequent handoffs to 
the 2G TDMA system from the 3G system will maintain the 
new 584 bit VS. Although this should not effect the security 
or operation of the wireless unit, the 128 bit CK is main- 
tained the same all along in this embodiment. 

[0045] In this embodiment, the key conversion system 
includes conversion functions available at the MSC in the 
newer system and at the wireless unit which will convert key 
values, for a first communications system, such as ESP keys, 
into key values of a second communications system, such as 
keys used for older privacy algorithms. In this example, the 
conversion function should convert the 128 bit CKkey in the 
new first communication system to VPMASK/SMEKEY 
(VS) keys for the older second communication system. 
VPMASK is composed of 260 bits mask for each direction 
and SMEKEY is 64 bits long, for a total of 584 bits to be 
used by the older communication system. In case of an 
intersystem handoff from the old communication system to 
the new communication system, it may be useful for the 
conversion function to be reversible. The old communica- 
tion system does not know about the new communication 
system and will transfer all 584 bits to the new communi- 
cation system. The new communication system upon receiv- 
ing the 584 bit key will realize that it needs to recover the 
128 bit CK, and hence will compute the CK from the 584 bit 
key. 

[0046] The VS keys created at the wireless unit and the 
MSC should be the same. This means the calculation of the 
VS keys must be based solely on CK and any other quan- 
tities known by both the MSC and the wireless unit. Oth- 
erwise, any new quantities (e.g. random number) would 
have to be exchanged between the wireless unit and the 
MSC prior to the conversion. The key conversion system 
does not require the exchange of information between the 
wireless unit and the new MSC and deterministically maps 
a CK to VS keys and VS keys to a CK key. 

[0047] Additionally, weaknesses in the old communica- 
tions system should not make the new communications 
system weak. One can achieve this by making the key 
conversion function cryptographic ally one way, so that even 
if the entire key of the old communication system, such as 
the VS key in this example, is revealed, the adversary cannot 
recover the key of the new communication system, such as 
the CK key in this example. However, this will make the 
system non-reversible and, as previously noted, the key 
conversion system should be reversible. Nevertheless, the 
key conversion system can be reversible and still provide 
almost all of the security of a non-reversible function. The 
security of the key conversion system in this example 
prevents an adversary from recovering any part of the CK 



key even if almost all of the VS key is revealed except a 
small part. The adversary can guess the small part, but he 
should not be able to do any better. This aspect is important 
because parts of VPMASK may be somewhat easy to 
recover, and the entire VPMASK may be easier to recover 
than the SMEKEY Yet if some part of the old system is hard 
to recover than the adversary will not know anything about 
CK. A similar security can apply to CK so that a partial 
knowledge of CK should not tell the adversary anything 
about VS. 

[0048] In certain embodiments, the conversion function 
has two modes, the forward conversion and the reverse 
conversion. In the example of roaming from the 3G com- 
munications system to the 2G TDMA communications sys- 
tem, the forward conversion takes the 128 bit randomly 
created CK key and expands it to 584 bit VS key. The 
reverse conversion function takes the 584 bit VS keys and 
maps it to a 128 bit CKkey. In this embodiment, the forward 
conversion function is composed of 3 random functions f, g 
and h which map a given input into a random output. In this 
embodiment, these are not secret functions but public ran- 
dom functions known to everybody, including the adversary. 
These public random functions are referred to as random 
oracles in the literature. These random oracles can be 
implemented using hash functions and block ciphers as 
described below. In this example, the three random functions 
are f, g, h where f and g map a 128 bit input into a 456 bit 
random value, and h maps a 456 bit input into a 128 bit 
random value. 

[0049] FIG. 11 shows a flow diagram of an embodiment 
of the forward conversion of the key conversion system for 
converting an m-bit key value KEY1 of a first communica- 
tions system into an n-bit key value KEY2 of a second 
communications system. The m bit KEY1 is provided to a 
random function f (block 200) which maps an m-bit string 
into an n-m bit random number or first intermediate value R. 
In the example of roaming from the 3G communications 
system to the 2G TDMA communications system, the con- 
version system converts a 128 bit key CK into a 584 bit key 
(VPMASK, SMEKEY). The 128 bit key CK is provided to 
the random function f (200) which maps the 128 bit CK into 
a 456 bit random number or first intermediate value R. The 
intermediate value R is provided to a random function h 
(block 210) which maps an n-m bit string into an m bit 
random number. The m-bit output of the function h (210) is 
subject to an exclusive -or (XOR 220) with the m bit KEY1 
to produce an m-bit second intermediate value T. In the 
example of roaming from the 3G communications system to 
the 2G TDMA communications system, the 456 bit inter- 
mediate value R is provided to the function h (210). The 
function h (210) maps the 456 bit value R to a 128 bit 
random number which is XORed with the 128 bit CK to 
produce a 128 bit second intermediate value T. 

[0050] In the embodiment of FIG. 11, the m-bit interme- 
diate value T is provided to a random function g (block 230). 
The random function g (block 230) maps an m bit string to 
an n-m bit random number which is subject to an exclusive- 
or (XOR 240) with the n-m bit intermediate value R to 
produce an n-m bit key value V which can be used as a key, 
keys or portion(s) of key(s). In this embodiment, the value 
V is a portion of the value KEY2 which can be used as a key, 
keys or portion(s) of key(s). In this embodiment, the n bit 
key KEY2 includes the n-m bit value V along with the m bit 
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second intermediate value T. In the example of roaming 
from the 3G communications system to the 2G TDMA 
communications system, the random function g (230) maps 
the 128 bit intermediate value T into a 456 bit random 
number which is subject to the exclusive -or (XOR 240) with 
the 456 bit intermediate value T to produce the 456 bit key 
value V. The 456 bit value V and the 128 bit intermediate 
value T form the 584 bit key value KEY2 which in this 
example can be divided into the VPMASK and the 
SMEKEY for 2G TDMA systems. 

[0051] The forward conversion of the CK of the 3G 
system to the VPMASK and SMEKEY of the 2G TDMA 
system can be written according to the following steps. 

[0052] 1. R=f(CK)/* create a 456 bit value from 128 bit 
CK by applying f */ 

[0053] 2. T=h(R) XOR CK/* create a 128 bit value 
using h */ 

[0054] 3. V=g(T) XOR R/* create a 456 bit value using 
g */ 

[0055] 4. Output T,V/* output the 584 bit value */ 

[0056] FIG. 12 shows a flow diagram of an embodiment 
of the reverse conversion of the key conversion system for 
converting the n-bit key value KEY2 of the second com- 
munications system back into the m-bit key value KEY1 of 
the first communications system. In this embodiment, the n 
bit key value KEY2 is divided into an n-m bit first portion 
or value V and an m-bit second portion or value T. The m-bit 
value T is provided to the random function g (block 250) 
which maps an m-bit string into an n-m bit random number. 
The n-m bit random number is subjected to an exclusive-or 
(XOR 260) with the n-m bit key value V to produce the n-m 
bit first intermediate value R. In the example where the 
wireless unit roams back to the 2G TDMA system from the 
3G system, the conversion system converts the 584 bit key 
(VPMASK, SMEKEY) into a 128 bit key CK. The 128 bit 
key value portion T is provided to the random function g 
(250) which maps the 128 bit T into a 456 bit random 
number. The 456 bit random number exclusive- ORed (XOR 
260) with the 456 bit key value V to produce the 456 bit first 
intermediate value R. 

[0057] In the embodiment of FIG. 12, the n-m bit first 
intermediate value R is provided to a random function h 
(block 270). The random function h (block 270) maps an 
n-m bit string to an m bit random number which is subject 
to an exclusive-or (XOR 280) with the m bit key value T to 
produce an m bit key value KEY1 which can be used as a 
key, keys or portion(s) of key(s). In the example where the 
wireless unit roams back to the 2G TDMA system from the 
3G system, the random function h (270) maps the 456 bit 
intermediate value R into a 128 bit random number which is 
subject to an exclusive-or (XOR 280) with the 128 bit key 
value T to produce the 128 bit key CK. 

[0058] The reverse conversion of the VPMASK and 
SMEKEY of the 2G TDMA system to the CK of the 3G 
system can be written according to the following steps. 

[0059] 1. Set T,V to 584 bit input/* T is 128 bit part, V 
is 456 bit part */ 

[0060] 2. R =g(T) XOR V/* create 456 bit value R using 
T, V */ 

[0061] 3. CK =h(R) XOR T 



[0062] The random functions f, g and h can be imple- 
mented using hash functions and/or block ciphers. To imple- 
ment the random functions f, g, and h, which can be referred 
to as random oracles, cyptographic hash functions, such as 
the functions known as known as SHA-1, MD5, RIPE-MD, 
can be used to instantiate the random functions f, g, h. A hash 
function can be typically characterized as a function which 
maps inputs of one length to outputs of another, and given 
an output, it is not feasible to determine the input that will 
map to the given output. Moreover, it is not feasible to find 
two inputs which will map to the same output. In using a 
SHA-1 hash function, each call to the SHA-1 hash function 
has a 160 bit initial vector (IV) and takes a 512 bit input or 
pay load which is mapped into a 160 bit output. The IV is set 
to the IV defined in the standard for SHA-1 hash function. 
The payload will contain various input arguments: 
SHA(Type, Count, Input, Pad) where Type is a byte value 
which defines the various functions f, g, h. Function f and g 
will call SHA multiple times, and Count is a byte value 
which differentiates the multiple calls. Input is the input 
argument to the functions f, g, or h. Pad is zeroes to fill the 
remaining bit positions in the 512 bit SHA payload. Below 
is an example procedure for implementing the random 
function f, g and h using a hash function routine referred to 
as SHA. 

[0063] SHA(type,count,input,pad) 
[0064] f(CK): SHA(1, 1, CK, pad) 

[0065] SHA(1, 2, CK, pad) 

[0066] SHA(1, 3, CK, pad) mod 2 A 136 
[0067] h(R): SHA(2, 1, R, pad) mod 2 A 128 
[0068] g(T): SHA(3, 1, T, pad) 

[0069] SHA(3, 2, T, pad) 

[0070] SHA(3, 3, T, pad) mod 2 A 136 

[0071] Block ciphers, like AES, can be used to create 
functions f, g, and h. 

[0072] f(CK): E CK (1); E CK (2); E CK (3); E CK (4) mod 2 A 72; 

[0073] h(R): E K0 (R1 XOR 5) XOR E K0 (R2 XOR 6) XOR 
E K0 (R3 XOR 7) XOR E K0 (R4 XOR 8) 

[0074] g(T): E T (9); E r (10); E T (11); E T (12) mod 2 A 72; 

[0075] where in f(CK), CK is used as the key in the block 
cipher and 512 bit stream is produced by encrypting 1 . . . 
4 in counter mode. The last encryption is truncated from 128 
bit to 72 bit to get the needed 456 bits. In h(R), a public key 
K0 is used to encrypt the parts of 456 bit R and the resulting 
ciphertexts are exclusive-ored together. Rl, R2, and R3 are 
128 bit values and R4 is the remaining 72 bit value of R, 
padded with zeroes to complete 128 bits. 

[0076] Thus, the key conversion system provides bi-di- 
rectional, deterministic and secure conversion of a key(s) or 
portion(s) thereof between first and second communications 
systems. The key conversion system is secure in the forward 
direction in that given most of the output KEY2 (for 
example, T,V), an adversary cannot recover KEY1 (for 
example, CK). In the example with the 2G TDMA and 3G 
systems, if all of T and most V except say 64 bits are known, 
then parts of R can be recovered, but not all of R by 
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calculating R=g(T) XOR V. An attempt can be made to 
recover some of CK by performing CK=h(R) XOR T. 
However, since all of R is not known, even a bit of 
information about h(R) cannot be recovered, assuming h is 
a random function. Hence no information can be recovered 
about CK. Similarly, if all of V and part of T are known, 
except say 64 bits of T, then no information about CK can 
be recovered. Since we do not know all of T, the interme- 
diate value R cannot be calculated using g(T) XOR V. Thus 
without the intermediate value R, no progress can be made 
in recovering any information about CK. 

[0077] Similarly, the key conversion system is secure in 
the reverse direction in that given most of the output KEY1 
(for example, CK), an adversary cannot recover KEY2 (for 
example, T, V). In the example with the 2G TDMA and 3G 
systems, if a part of CK is known, no information about T,V 
can be recovered. Since we do not know all of CK, the 
intermediate value R cannot be calculated using f(CK). Thus 
without the intermediate value R, no progress can be made 
in recovering any information about T,V. 

[0078] In addition to the embodiment(s) described above, 
the key conversion system according to the principles of the 
present invention can be used which omit and/or add input 
parameters and/or random functions or other operations 
and/or use variations or portions of the described system. 
For example, the key conversion system has been described 
as converting between n bit key of a first communication 
system and an m bit key of a second communications system 
using random oracles f, g and h where the random oracles f 
and g map an m bit string to a n-m bit random number and 
the random oracle h maps a n-m bit string to an m bit random 
number. However, different random functions can be used as 
well as different or additional functions which map x bit 
strings to y bit random numbers and/or map y bit strings to 
x bit random numbers where x or y can be equal to n-m or 
m. Additionally, the m bit key value for the first communi- 
cations system can be a key, keys or portion(s) thereof, and 
the n bit key value for the second communications system 
can be a key, keys or portion(s) thereof. For example, the 
example with the 2G TDMA and 3G systems, the conversion 
is between the 128 bit CK of the 3G system and the 584 bit 
key value for the SMEKEY and VPMASK of the 2G TDMA 
system, but the conversion could be between a 256 bit key 
value of CK and IK of the 3G system and the 584 bit key 
value for the SMEKEY and VPMASK of the 2G TDMA 
system. 

[0079] In the example described above, a forward conver- 
sion is from the m bit key value of the first communications 
system to the n bit key value of the second communications 
system where the first communications system corresponds 
to the new system and the second communications corre- 
sponds to the old system and where m<n. However, depend- 
ing on the embodiment, the first communications system can 
be older, and the second communications system is newer. 
Alternatively, the forward conversion can be the conversion 
of the smaller size key value of one communications system 
to the larger bit size key value of another communications 
system, and the reverse conversion is the conversion of the 
larger bit size key value to the smaller size key value. 
Depending on the embodiment, the conversion of different, 
larger, smaller and/or the same size(s) of key value(s) 
between the different communications systems are possible. 



[0080] Furthermore, the key conversion system can be 
used to handle the intersystem handoffs described in the 
FIGS. 5-10 to convert a key, keys or portion(s) thereof from 
one communications system to the key, keys or portion(s) 
thereof of another communications system. It should be 
understood that different notations, references and charac- 
terizations of the various values, inputs and architecture 
blocks can be used. For example, the functionality described 
for the key conversion system can be performed in a home 
authentication center, home location register (HLR), a home 
MSC, a visiting authentication center, a visitor location 
register (VLR) and/or in a visiting MSC. Moreover, the key 
conversion system and portions thereof can be performed in 
a wireless unit, a base station, base station controller, MSC, 
VLR, HLR or other sub-system of the first and/or second 
communications system. It should be understood that the 
system and portions thereof and of the described architecture 
can be implemented in or integrated with processing cir- 
cuitry in the unit or at different locations of the communi- 
cations system, or in application specific integrated circuits, 
software -driven processing circuitry, programmable logic 
devices, firmware, hardware or other arrangements of dis- 
crete components as would be understood by one of ordinary 
skill in the art with the benefit of this disclosure. What has 
been described is merely illustrative of the application of the 
principles of the present invention. Those skilled in the art 
will readily recognize that these and various other modifi- 
cations, arrangements and methods can be made to the 
present invention without strictly following the exemplary 
applications illustrated and described herein and without 
departing from the spirit and scope of the present invention. 

1. A method of converting a first key value for a first 
communications system to a second key value of a second 
communications, said method comprising: 

generating a first intermediate value from at least a 
portion of said first key value using a first random 
function; 

providing at least a portion of said first intermediate value 
to a second random function to produce a second value; 

performing an exclusive-or on at least a portion of said 
first key value and at least a portion of said second 
value to generate a second intermediate value; 

providing at least a portion of said second intermediate 
value to a third random function to produce a third 
value; and 

producing at least a first portion of said second key value 
by performing an exclusive-or on at least a portion of 
said third value and at least a portion of said first 
intermediate value. 

2. The method of claim 1 comprising: 

producing at least a portion of said second intermediate 
value as at least a second portion of said second key 
value. 

3. The method of claim 1 wherein said generating com- 
prises the step of: 

providing said first key value of m bits to a first random 
function to produce said first intermediate value of n-m 
bits. 

4. The method of claim 3 wherein said first steps of 
providing and performing comprise: 
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providing said n-m bit first intermediate value to a second 
random function to produce an m bit second value; and 

performing an exclusive -or on said m bit first key value 
and said m bit second value to generate said second 
intermediate value with m bits. 

5. The method of claim 4 wherein said second step of 
providing and said step of producing comprise: 

providing said m bit second intermediate value to a third 
random function to produce a n-m bit third value; and 

performing an exclusive-or on said n-m bit third value and 
said n-m bit first intermediate value to generate an n-m 
bit portion of said second key value. 

6. The method of claim 5 comprising: 

providing said m bit second intermediate value as an m bit 
second portion of said second key value having n bits. 

7. The method of claim 2 further comprising the steps of: 

providing said second portion of said second key value to 
said third random function to produce said third value; 
and 

generating said first intermediate value by subjecting said 
first portion of said second key value to an exclusive-or 
with said third value. 

8. The method of claim 7 further comprises: 

using said second random function to generate said sec- 
ond value from said first intermediate value; and 

producing at least a portion of said first key by subjecting 
said second value to an exclusive-or with said second 
portion of said second key value. 

9. The method of claim 6 further comprises: 

providing said m bit first portion of said n bit second key 
value to said third random function to produce said n-m 
bit third value; and 

generating said n-m bit first intermediate value using an 
exclusive-or of said n-m bit second portion of said n bit 
second key value with said n-m bit third value. 

10. The method of claim 9 further comprises: 

providing said n-m first intermediate value to said second 
random function to generate an m bit second value; and 

producing said portion of said first key value having m 
bits by using an exclusive-or of said m bit first portion 
of said second key value with said m bit second value. 

11. A key conversion system for converting a first key 
value for a first communications system to a second key 
value of a second communications, said system comprising: 

processing circuitry adapted to generate a first interme- 
diate value from at least a portion of said first key value 
using a first random function to provide at least a 
portion of said first intermediate value to a second 
random function to produce a second value, to perform 
an exclusive-or on at least a portion of said first key 
value and at least a portion of said second value to 
generate a second intermediate value, to provide at least 



a portion of said second intermediate value to a third 
random function to produce a third value and to pro- 
duce at least a first portion of said second key value by 
subjecting at least a portion of said third value to an 
exclusive-or with at least a portion of said first inter- 
mediate value. 

12. The system of claim 11 wherein said processing 
circuitry further configured to produce at least a portion of 
said second intermediate value as at least a second portion 
of said second key value. 

13. The system of claim 12 wherein said processing 
circuitry further configured to provide said first key value of 
m bits to a first random function to produce said first 
intermediate value of n-m bits. 

14. The system of claim 13 wherein said processing 
circuitry further configured to provide said n-m bit first 
intermediate value to a second random function to produce 
an m bit second value and to perform an exclusive-or on said 
m bit first key value and said m bit second value to generate 
said second intermediate value with m bits. 

15. The system of claim 14 wherein said processing 
circuitry configured to provide said m bit second interme- 
diate value to a third random function to produce a n-m bit 
third value and to perform an exclusive-or on said n-m bit 
third value and said n-m bit first intermediate value to 
generate an n-m bit portion of said second key value. 

16. The system of claim 15 wherein said processing 
circuitry configured to provide said m bit second interme- 
diate value as an m bit second portion of said second key 
value having n bits. 

17. The system of claim 12 wherein said processing 
circuitry configured to provide said second portion of said 
second key value to said third random function to produce 
said third value and to generate said first intermediate value 
by subjecting said first portion of said second key value to 
an exclusive-or with said third value. 

18. The system of claim 17 wherein said processing 
circuitry configured to use said second random function to 
generate said second value from said first intermediate value 
and produce at least a portion of said first key by subjecting 
said second value to an exclusive-or with said second 
portion of said second key value. 

19. The system of claim 16 wherein said processing 
circuitry configured to provide said m bit first portion of said 
n bit second key value to said third random function to 
produce said n-m bit third value and to generate said n-m bit 
first intermediate value using an exclusive-or of said n-m bit 
second portion of said n bit second key value with said n-m 
bit third value. 

20. The system of claim 19 wherein said processing 
circuitry is configured to provide said n-m first intermediate 
value to said second random function to generate an m bit 
second value and to produce said portion of said first key 
value having m bits by using an exclusive-or of said m bit 
first portion of said second key value with said m bit second 
value. 



